As improved data security increases confidence in the cloud among hospitals and physician practices, mobility and storage initiatives are reaping the rewards.
Historically, the cloud in healthcare has been strong on efficiency, but not so much on security, said Larry Ponemon, chairman and founder of the Ponemon Institute, a data protection research center based in Traverse City, Mich. The idea of storing protected health information (PHI) and other sensitive information in the cloud was frowned upon. That stance has changed in the last few years. Now, providers are stronger on security, which strengthens the case for the cloud in healthcare.
"The big [vendors] have built really strong IT infrastructure, and in many cases, it is much more secure than you would find on premises," Ponemon said. To protect data in the cloud, he noted, IT needs to know where all the sensitive data is located and have a plan for organizing that information. "Not all of that information is equal," he added, "and you want to protect the 'crown jewel' -- the data that is really sensitive and the things that can hurt you a lot if it gets into the wrong hands."
Defending against mobile intrusion
Protecting that information in the cloud becomes trickier because mobile devices are prevalent in healthcare, and more employees expect to use their smartphones and tablets for corporate purposes. While the IT department might provide training to staff on how to secure their devices, CIOs need to take extra precautions to manage storage and mobility.
HIPAA-compliant cloud services
Many cloud vendors have taken steps toward meeting the unique security needs of healthcare organizations. Some file hosting services, for example, are HIPAA-compliant for users who register for business accounts and sign a business associate agreement (BAA).
Larry Ponemon, chairman and founder of the Ponemon Institute, said a BAA is a good first step to choosing a cloud in healthcare service provider, but loopholes can occur. "A contract is not a guarantee that the organization will meet security requirements," Ponemon explained. "But the key variable is to make sure that you try to do the best you can to find out what else they are willing to share with you about their security practices."
Since mobile devices are owned by individuals and not by the hospital, it may be difficult for IT to put the proper safeguards in place without some user resistance. Physicians and nurses operate under the principle that everything they do is for patients, and they don't want to be bothered with administrative hassles, Ponemon said.
When it comes to using mobile devices and the cloud in healthcare, there's often a bit of defiance, such as "jailbreaking" a device to bypass security protocols. "There's definitely a cultural issue in healthcare that you see consistently across the board," Ponemon said, adding that the clinicians aren't bad people trying to create a problem for the organization -- they simply don't want to be slowed down by security protocols.
MDM and MAM play different roles
One way CIOs and hospital IT can help secure mobile devices is by using mobile device management (MDM) or mobile application management (MAM) tools. MDM provides the IT department access to and control over the entire mobile device, including the ability to wipe the entire device in case of a security incident. MAM, on the other hand, is confined to certain software.
MDM and MAM are a "critical part of the recipe" for keeping sensitive information such as social security numbers or PHI from leaving the premises, said Scott Richert, vice president of enterprise infrastructure services at Mercy, a health system based in Chesterfield, Mo. "We work on a policy that if you're going to use your device for Mercy healthcare purposes, it needs to be protected by our standard mobile device management tools," he said. "As we give more flexibility, there's more in your hands, and you have to be accountable and responsible for it."
Wes Wright, corporate CTO at Sutter Health, headquartered in Sacramento, Calif., said he prefers to use MAM instead of MDM to alleviate some of the concerns employees might have about using their personal devices under the hospital's restrictions. "I want to be as light a touch as possible on people's devices," Wright explained. "When you do mobile device management, you don't have a light touch."
Ensuring data security in the cloud
Beyond MDM and MAM, hospital IT should regularly push security patches and firmware updates to ensure that devices and the data stored on them "maintain a requisite level of security," said Joy Sim, an analyst at management consulting firm Pace Harmon. If hospital staff members are going to use their tablets and smartphones for corporate purposes, data should be stored on a server -- not on the device itself -- so the devices can access it, she noted.
"In this way," Sim added, "data that is stored in a cloud server is more easily encrypted, with less of a security risk associated with having data stolen from mobile devices. As cloud-based tools become an enterprise standard, hospital IT should mitigate the risk of data leaks, especially when syncing data between devices." Hospital IT, she said, also needs to evaluate and determine what types of enterprise data can and can't be stored in cloud in healthcare environments.
Wes WrightCTO, Sutter Health
Ponemon cautioned that department heads outside of IT are increasingly making decisions about what technology they want people to use, and there's a lot of information floating around the hospital that should be nailed down. There might also be multiple copies of a document in different departments, producing what Ponemon called a "clutter" effect. This lack of centralization makes it difficult for the IT department to know and keep track of what information is out there.
Despite the traditional reluctance to adopt the cloud, Sutter Health's Wright said he doesn't think healthcare can afford to do things on premises as it has in the past. "The way the cloud is shaping up, it's a giant tectonic shift in our IT plates," he reasoned. "Those organizations that aren't getting their toes wet, at least, in the cloud, they're going to go the way of the dodo bird."
How healthcare providers can benefit from cloud services
Implement a strong mobile healthcare security plan to prevent attacks
Benefits and drawbacks of mobile in healthcare